{
	"id": "e9c07c8d-a390-45b9-9fa2-e88a2053bf82",
	"created_at": "2026-04-06T02:11:06.659696Z",
	"updated_at": "2026-04-10T13:12:26.609885Z",
	"deleted_at": null,
	"sha1_hash": "8799e2774265912617a2476b025e786bf865e8c8",
	"title": "Using ABAC Authorization",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68326,
	"plain_text": "Using ABAC Authorization\r\nBy Authorization Algorithm\r\nArchived: 2026-04-06 01:54:57 UTC\r\nAttribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to\r\nusers through the use of policies which combine attributes together.\r\nPolicy File Format\r\nTo enable ABAC mode, specify --authorization-policy-file=SOME_FILENAME and --authorization-mode=ABAC on startup.\r\nThe file format is one JSON object per line. There should be no enclosing list or map, only one map per line.\r\nEach line is a \"policy object\", where each such object is a map with the following properties:\r\nVersioning properties:\r\napiVersion , type string; valid values are \"abac.authorization.kubernetes.io/v1beta1\". Allows\r\nversioning and conversion of the policy format.\r\nkind , type string; valid values are \"Policy\". Allows versioning and conversion of the policy\r\nformat.\r\nspec property set to a map with the following properties:\r\nSubject-matching properties:\r\nuser , type string; the user-string from --token-auth-file . If you specify user , it must\r\nmatch the username of the authenticated user.\r\ngroup , type string; if you specify group , it must match one of the groups of the\r\nauthenticated user.\r\nsystem:authenticated matches all authenticated requests.\r\nsystem:unauthenticated matches all unauthenticated requests.\r\nResource-matching properties:\r\napiGroup , type string; an API group.\r\nEx: apps , networking.k8s.io\r\nWildcard: * matches all API groups.\r\nnamespace , type string; a namespace.\r\nEx: kube-system\r\nWildcard: * matches all resource requests.\r\nresource , type string; a resource type\r\nEx: pods , deployments\r\nWildcard: * matches all resource requests.\r\nNon-resource-matching properties:\r\nnonResourcePath , type string; non-resource request paths.\r\nEx: /version or /apis\r\nhttps://kubernetes.io/docs/reference/access-authn-authz/abac/\r\nPage 1 of 4\n\nWildcard:\r\n* matches all non-resource requests.\r\n/foo/* matches all subpaths of /foo/ .\r\nreadonly , type boolean; when true, the Resource-matching policy only applies to get,\r\nlist, and watch operations, and the Non-resource-matching policy only applies to the get operation.\r\nNote:\r\nAn unset property is the same as a property set to the zero value for its type (e.g. empty string, 0, false). However,\r\nunset should be preferred for readability.\r\nIn the future, policies may be expressed in a JSON format, and managed via a REST interface.\r\nA request has attributes which correspond to the properties of a policy object.\r\nWhen a request is received, the attributes are determined. Unknown attributes are set to the zero value of their type\r\n(e.g. empty string, 0, false).\r\nA property set to \"*\" will match any value of the corresponding attribute.\r\nThe tuple of attributes is checked for a match against every policy in the policy file. If at least one line matches the\r\nrequest attributes, then the request is authorized (but may fail later validation).\r\nTo permit any authenticated user to do something, write a policy with the group property set to\r\n\"system:authenticated\" .\r\nTo permit any unauthenticated user to do something, write a policy with the group property set to\r\n\"system:unauthenticated\" .\r\nTo permit a user to do anything, write a policy with the apiGroup, namespace, resource, and nonResourcePath\r\nproperties set to \"*\" .\r\nKubectl\r\nKubectl uses the /api and /apis endpoints of apiserver to discover served resource types, and validates\r\nobjects sent to the API by create/update operations using schema information located at /openapi/v2 .\r\nWhen using ABAC authorization, those special resources have to be explicitly exposed via the nonResourcePath\r\nproperty in a policy (see examples below):\r\n/api , /api/* , /apis , and /apis/* for API version negotiation.\r\n/version for retrieving the server version via kubectl version .\r\n/swaggerapi/* for create/update operations.\r\nTo inspect the HTTP calls involved in a specific kubectl operation you can turn up the verbosity:\r\nkubectl --v=8 version\r\nExamples\r\n1. Alice can do anything to all resources:\r\n{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"user\": \"alice\", \"\r\n2. The kubelet can read any pods:\r\n{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"user\": \"kubelet\"\r\n3. The kubelet can read and write events:\r\n{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"user\": \"kubelet\"\r\n4. Bob can just read pods in namespace \"projectCaribou\":\r\n{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"user\": \"bob\", \"na\r\n5. Anyone can make read-only requests to all non-resource paths:\r\n{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"group\": \"system:a\r\n {\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"group\": \"system:u\r\nComplete file example\r\nA quick note on service accounts\r\nEvery service account has a corresponding ABAC username, and that service account's username is generated\r\naccording to the naming convention:\r\nsystem:serviceaccount:\u003cnamespace\u003e:\u003cserviceaccountname\u003e\r\nCreating a new namespace leads to the creation of a new service account in the following format:\r\nsystem:serviceaccount:\u003cnamespace\u003e:default\r\nFor example, if you wanted to grant the default service account (in the kube-system namespace) full privilege to\r\nthe API using ABAC, you would add this line to your policy file:\r\n{\"apiVersion\":\"abac.authorization.kubernetes.io/v1beta1\",\"kind\":\"Policy\",\"spec\":{\"user\":\"system:serviceaccount\r\nThe apiserver will need to be restarted to pick up the new policy lines.\r\nLast modified February 18, 2024 at 10:07 AM PST: Reorder authn/authz pages (9f327512c6)\r\nSource: https://kubernetes.io/docs/reference/access-authn-authz/abac/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://kubernetes.io/docs/reference/access-authn-authz/abac/"
	],
	"report_names": [
		"abac"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441466,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8799e2774265912617a2476b025e786bf865e8c8.pdf",
		"text": "https://archive.orkl.eu/8799e2774265912617a2476b025e786bf865e8c8.txt",
		"img": "https://archive.orkl.eu/8799e2774265912617a2476b025e786bf865e8c8.jpg"
	}
}